undefined | Better HN

0 pointsWesolyKubeczek2y ago0 comments

You can still sneak nefarious stuff if you have a lot of reputation score so that most people who actually put their eyeballs on the stuff tend to trust you blindly, especially if the development on the project is so active that you don't have the bandwidth to inspect all the changes.

There is also the mighty bystander effect at play: surely, someone else is going to look at it. Someone else will have time to test it. He's our hero, the Someone-Else-Man!

Mind you, it only takes to catch you once, and your mountain of reputation will poof out of existence in an eyeblink. This is the price.

Mind you, asking to downplay a vulnerability "because it's in an experimental module not built by default" would make me suspicious on the simple grounds that even if a module is experimental, you ship it alongside your stable code, and for sure someone builds it and is using it. Depending on who those users might be, there could be also parties interested in them not patching the vulnerability for as long as possible.

This sounds paranoid for sure, but your being paranoid doesn't mean there's nobody out to get you!

0 comments

arp2422y ago

I never said it's perfect, but at least I have an opportunity to inspect things.

WesolyKubeczekOP2y ago

Yes, this is exactly the counter-argument I always make whenever someone says "but there are never the eyeballs to inspect open source, see Heartbleed, so why bother, it's not better", blablabla.

But at least I have the option, dammit! Contrary to the proprietary software where your problem will be diligently filed into a ticket, given a number, and be left to rot.

Which doesn't change the fact that people are lazy and do turn the blind eye... :-( and sometimes the Someone-Else-Man won't come and save the day. But that's just life.

j / k navigate · click thread line to collapse